nfkminfo
nfkminfo -w|--world-info [-r|--repeat] [-p|--preload-client-id]Shows you information about the current security world state, the stored security world keys, or the available operator card sets.
For more information, see:
| Option | Description | ||||
|---|---|---|---|---|---|
|
Lists cardsets. |
||||
|
Lists keys. |
||||
|
Lists keys and names, ordered by protection. |
||||
|
Displays the pool of HSMs as a single resource. |
||||
|
Lists softcards. |
||||
|
Specifies that you want to display general information about the security world. This option is set by default, so you do not need to include it explicitly. Flags for this option:
|
||||
Module selection |
|||||
|
Specifies the number ID to use. |
||||
Help options |
|||||
|
Displays help for |
||||
|
Displays a brief usage summary for |
||||
|
Displays the version number of the Security World Software that deploys |
||||
Front panel flags mapped to nfkminfo fields
The following table maps the flags visible on the front panel when you select 3 Security World mgmt > 3-1 Display World Info to the flags in the output of nfkminfo.
| Front panel | nfkminfo |
|---|---|
|
|
|
|
|
|
Module |
|
|
|
|
|
nfkminfo: information utility
The nfkminfo utility displays information about the Security World and the keys and card sets associated with it.
Usage
nfkminfo -w|--world-info [-r|--repeat] [-p|--preload-client-id]nfkminfo -k|--key-list [<APPNAME> [<IDENT>]]nfkminfo -l|--name-list [<APPNAME> [<APPNAME>...]]nfkminfo [-c|--cardset-list]|[-s|--softcard-list] [<TOKENHASH>]nfkminfo --cardset-list [<TOKENHASH>] --key-list [<APPNAME>[<APPNAME>]]|--name-list <APPNAME>[<IDENT>...]]Security World options
-w|--world-info
This option specifies that you want to display general information about the Security World. These options are the default and need not be included explicitly.
-r|--repeat
This option displays the information repeatedly. There is a pause at the end of each set of information. The information is displayed again when you press Enter.
-p|--preload-client-id
This option displays the preloaded client ID value, if any.
Key, card set, and softcard options
-k|--key-list [<APPNAME>[<APPNAME>]]
This option lists keys without key names.
If <APPNAME> is specified, only keys for these applications are listed.
-l|--name-list [<APPNAME>[<IDENT>]]
This option lists keys with their names.
If <APPNAME> is specified, only keys for these applications are listed.
If <IDENT> is listed, only the keys with the specified identifier are listed.
-c|--cardset-list [<TOKENHASH>]
If <TOKENHASH> is not specified, this option lists the card sets associated with the Security World.
The output is similar to this:
Cardset list - 1 cardsets: (P)ersistent/(N)ot, (R)emoteable/(L)ocal-only
Operator logical token hash k/n timeout name <hash> 1/1 none-PL <name>If <TOKENHASH> is specified, these options list the details of the card identified by hash.
The output is similar to this:
Cardset
name "name"
k-out-of-n 1/1
flags Persistent PINRecoveryForbidden(disabled) !RemoteEnabled
timeout none
card names ""
hkltu hash
gentime 2005-10-14 10:56:54
Keys protected by cardset hash:
AppName app Ident keyident
AppName app Ident keyident
... ... ... ...-s|--softcard-list TOKENHASH
This option works like the -c|--cardset-list option, except it lists softcards instead of card sets.
If <TOKENHASH> is not specified, this option lists the softcards associated with the Security World.
Security World output info
If you run nfkminfo with the -w|--world-info option, it displays information similar to that shown in these examples:
generation 1
state 0x70000 Initialised Usable Recovery !PINRecovery
!ExistingClient !RTC !NVRAM !FTO !SEEDebug
n_modules 1
hknso hash_knso
hkm hash_km
hkmwk hash_knwk
hkre hash_kre
hkra hash_kra
ex.client none
......
Module #1
generation 1
state 0x1 Usable
flags 0x10000 ShareTarget
n_slots 2
esn 34F3-9CB4-753B
hkml hash_kml
Module #1 Slot #0 IC 11
generation 1
phystype SmartCard
slotlistflags 0x2
state 0x4 Operator
flags 0x20000 RemoteEnabled
shareno 2
shares
error OK
Cardset
name "fred"
k-out-of-n 1/2
flags NotPersistent
timeout none
card names "" ""
hkltu hash_kt
Module #1 Slot #1 IC 0
generation 1
phystype SmartCard
slotlistflags 0x2 SupportsAuthentication
state 0x4 Admin
flags 0x10000 passphrase
shareno 1
shares LTNSO(PIN) LTM(PIN) LTR(PIN) LTNV(PIN) LTRTC(PIN) LTDSEE(PIN)
LTFTO(PIN)
error OK
No Cardset
No Pre-Loaded ObjectsWorld
nfkminfo reports the following information about the Security World:
generation
This indicates the internal number.
state
This indicates the status of the current world:
|
This indicates that the Security World has been initialized. |
|
This indicates that there is at least one usable HSM in this Security World on this host. |
|
This indicates that there are no usable HSMs in this Security World on this host. |
|
This indicates that the Security World has the OCS and softcard replacement and the key recovery features enabled. |
|
This indicates that the Security World has the OCS and softcard replacement and the key recovery features disabled. |
|
This indicates that additional authorization is required for the following operations:
|
|
This indicates that there is a Client ID set, for example, by |
|
This indicates that no Client ID is set.
The |
|
This indicates that the Security World always generates RSA keys in a manner compliant with FIPS 186-3. |
|
This indicates that the Security World leaves the choice of RSA key generation algorithm to individual clients. |
|
This indicates that the Security World has an SEE Debugging delegation key. |
|
This indicates the Security World has no SEE Debugging delegation key. |
|
This indicates no authorization is required for SEE Debugging. |
|
This indicates that the Security World has the passphrase replacement feature enabled. |
|
This indicates that the Security World has the passphrase replacement feature disabled. |
|
This indicates that the Security World has an FTO delegation key. |
|
This indicates that the Security World has no FTO delegation key. |
|
This indicates that the Security World has an NVRAM delegation key. |
|
This indicates that the Security World has no NVRAM delegation key. |
|
This indicates that the Security World has an RTC delegation key. |
|
This indicates that the Security World has no RTC delegation key. |
|
This indicates that Audit Logging is enabled for this Security World. |
|
This indicates that Audit Logging is not enabled for this Security World. |
n_modules
This indicates the number of nShield HSMs connected to this computer.
hknso
This indicates the SHA-1 hash of the Security Officer’s key.
hkm
This indicates the SHA-1 hash of the Security World key.
hkmwk
This indicates the SHA-1 hash of a dummy key used to load the Administrator Card Set (the dummy key is the same on all HSMs that use Security Worlds and is not secret).
hkre
This indicates the SHA-1 hash of the recovery key pair.
hkra
This indicates the SHA-1 hash of the recovery authorization key.
ex.client
This indicates the ClientID required to use any pre-loaded keys and tokens.
k-out-of-n
This indicates the values of K and N for this Security World.
other quora
This indicates the number (quora) of Administrator Cards (K) required to perform certain other functions as configured for this Security World.
ciphersuite
This indicates the name of the Cipher suite that the Security World uses.
Mode
|
This indicates that the Security World is in an unregulated mode. The Security World can be configured to meet the needs of your security policy. This includes, but is not limited to, creating a Security World that is compliant with FIPS140 Level 2. |
|
This indicates that the Security World is in a mode compliant with FIPS 140 Level 3. |
|
This indicates that the Security World is in a mode compliant with Common Criteria Protection Profile EN 419 221-5, for Cryptographic Modules for Trust Services. |
Assigned Keys
|
This indicates the maximum key usage reauthorization condition for Assigned Keys. (common-criteria-cmts mode only). |
|
This indicates the maximum key timeout reauthorization condition for Assigned Keys (common-criteria-cmts mode only). |
Module
For each HSM in the Security World, nfkminfo reports:
generation
This indicates the version of the HSM data.
state
This indicates one of the following:
|
This indicates that the HSM is in the pre-initialization state. |
|
This indicates that the HSM is in the initialization state. |
|
This indicates that the HSM’s state could not be determined. |
|
This indicates that the HSM is programmed in the current Security World and can be used. |
|
This indicates that the HSM does not have the Security Officer’s key set and that the HSM must be initialized before use. |
|
This indicates that the HSM has module key zero only and that the Security Officer’s key is set to the factory default. |
|
This indicates that the HSM is from an unknown Security World. |
|
This indicates that the HSM is acceleration only. |
|
This indicates that, although the HSM appears to be in the current Security World, |
|
This indicates that the HSM has failed. For nShield HSMs running firmware 2.61.2 and above, use the |
|
This indicates that the HSM is in the maintenance state. |
flags
This displays ShareTarget if the HSM has been initialized to allow reading of remote card sets.
n_slots
This indicates the number of slots on the HSM (there is one slot for each physical smart card reader, one slot for each soft token, one slot for each available Remote Operator slot and one slot for each associated Dynamic Slots).
esn
This indicates the electronic serial number of the HSM (if the HSM is not in the Usable state, the electronic serial number may not be available).
hkml
This indicates the hash of the HSM signing key (if the HSM is not in the Usable state, this value may not be available).
Slot
For each slot on the HSM, nfkminfo reports:
IC
This indicates the insertion count for this slot (which is 0 if there is no card in the slot).
generation
This indicates the version of the slotinfo structure.
phystype
This indicates the type of slot, which can be one of:
-
SmartCard -
SoftToken
slotlistflags
These are flags describing the capabilities of the slot.
Single letters in parentheses are the flag codes reported by the slotinfo utility:
|
|
|
|
|
|
|
|
|
|
|
|
state
This can be one or more of the following flags:
|
This indicates that the smart card in the reader is unformatted. |
|
This indicates that the smart card in the reader is part of the Administrator Card Set. |
|
This indicates that there is no smart card in the reader. |
|
This indicates that the smart card in the reader could not be read (the card may be from a different Security World). |
|
This indicates that the smart card in the reader is an Operator Card. |
flags
This displays passphrase if the smart card requires a passphrase.
shareno
This indicates the number of the card within the card set.
shares
If the card in the slot is an Operator Card, no values are displayed for shares.
If the card in the slot is an Administrator Card, values are displayed indicating what key shares are stored on the card.
Each share is prefixed with the letters LT (Logical Token), and the remaining letters identify the key (for example, the value LTNSO indicates that a share of KNSO, the Security Officer’s key, is stored on the card).
error
This indicates the error status encountered if the smart card could not be read:
|
This indicates that there were no errors. |
|
This indicates that the smart card in the reader failed challenge response authentication (the card may come from a different Security World). |
|
This indicates that there is no card in the reader. |
If you purchased a developer kit, you can refer to the relevant developer documentation for a full list of error codes.
Card set
If there is an Operator Card in the reader, nfkminfo reports:
name
This indicates the name given to this card set.
k-out-of-n
This indicates the values of K and N for this card.
flags
This displays one or more of each of the following pairs of flags:
|
This indicates that the Operator Card is not persistent. |
|
This indicates that the Operator Card is persistent. |
|
This indicates that the card in the slot is not from a Remote Operator Card Set. |
|
This indicates that the card in the slot is from a Remote Operator Card Set. |
|
This indicates that the card in the slot does not have passphrase replacement enabled. This is always true if passphrase replacement is disabled for the Security World. |
|
This indicates that the card in the slot does have passphrase replacement enabled. |
timeout
the period of time in seconds after which the HSM automatically removes the Operator Card Set.
If timeout is set to none, the Operator Card Set does not time out.
card
lists the names of the cards in the set, not all software can give names to individual cards in a set.
hkltu
the SHA-1 hash of the secret on the card.